Re: Browser mode for nautilus

From: Lennart Poettering <mzerqung 0pointer de>

To: fedora-desktop-list redhat com

Subject: Re: Browser mode for nautilus

Date: Mon, 27 Oct 2008 21:49:24 +0100

On Mon, 27.10.08 15:25, seth vidal (skvidal fedoraproject org) wrote:
> If you'd like to have a CV-off with regard to security awareness and
> actual experience maintaining and securing systems and networks, I'd be
> happy to do so.
>
> Disabling firewalls on individual systems be they desktops or servers is
> a BAD idea. Full stop.

That is nonsense.

Firewalls on a desktop make no sense, and David is right in that it is
a relic and not much more. It's paranoia at best to keep this
installed by default.

Why are desktop firewalls wrong?

1) They are not dynamic. In times where laptops are constantly moving
between networks, with stuff like zeroconf or dynamically assigned
port numbers they would need to adapt dynamically to the
circumstances. However, right now they are a single system-wide
static rule table.

2) They do very very superficial security checking only. They hence
give a false sense of security. Also, DNS or DHCP traffic is
usually allowed without any inspection. Which makes the whole thing
a joke. And then, using stuff like by-ip-range rules is
treacherous -- IP addresses can be faked and in times of NAT not
unique.

3) They are redundant -- it's just a second line of defense. If you
don't trust a service you run then maybe you shouldn't be running
it at all. The way we have it right now on the desktop is that the
firewall is mostly just a second line of why-the-fuck-is-my-stuff-not-working.

Firewalls do make sense -- on routers and on servers -- but not so
much on desktops. If you want to make them somewhat sensible on
desktops then you'd have to fix issue #1 above. That means, you have
to add some way that applications may issue requests to punch holes in
the firewall. Which is kind of pointless, since calling listen()
should implicitly be just this kind of request. And if it is, then the
firewall is entirely redundant.

On routers and on servers it makes sense to use by-ip-range rules and
a lot of other fancier rules. However, on the desktop -- because they
move all the time between networks -- that makes no sense. So
basically the desktop firewall boils down to globally allowing or
globally not allowing connections to certain ports. And you know what?
If that's all a desktop fw is about, then they are completely
made redundant by listen().

Also, let's note that last time I checked, Ubuntu (as one popular
example) didn't install a firewall on the desktop. Instead they simply
have a strict policy about which services may listen on a port by
default. And that's exactly what we should be doing, too. On Ubuntu
only very few services may listen on a port by default, one being
Avahi. And those services were of course very closely checked before
they were whitelisted.

That said, it would make sense to add some option to NM to mark a
specific network as "not trusted -- web only" in which case mDNS and
everything else would be blocked and only HTTP/DNS/DHCP would be let
through. But that would be optional -- and dynamic. Without that desktop
firewalls are useless and everyone who wants to get work done disables
them anyway. So let's disable them by default, too!

Lennart
--
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net ICQ# 11060553
http://0pointer.net/lennart/ GnuPG 0x1A015CC4
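The "strict policy about which services may listen on a port by default" that the message holds up as the alternative to a desktop firewall is something you can audit mechanically: enumerate the sockets that are actually bound and compare them against the allow-list. The following is an added example, not code from the message, from Fedora or from Ubuntu. It parses the /proc/net/{tcp,tcp6,udp} format (the sample lines below are constructed, not captured from a real host) and reports every non-loopback listener whose protocol/port pair is absent from an assumed allow-list (sshd on 22, Avahi on UDP 5353, the DHCP client on UDP 68). The allow-list, the sample sockets and the function names are illustrative assumptions.

```python
"""Audit bound sockets against an allow-list of services that may listen.

Added example (not from the mailing-list post): reads the /proc/net/tcp,
tcp6 and udp table format and flags non-loopback listeners that are not on
an assumed allow-list. Sample tables are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Socket states as printed in the "st" column of /proc/net/{tcp,udp}.
TCP_LISTEN = 0x0A   # TCP socket that has called listen()
UDP_BOUND = 0x07    # TCP_CLOSE: a bound, unconnected UDP socket


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # textual local address
    port: int    # local port (host byte order)


def decode_addr(hexaddr: str) -> str:
    """Decode a /proc/net hex address.

    IPv4 is one 32-bit word and IPv6 four words, each stored in host
    (little-endian) byte order, so each 8-hex-digit group is unpacked
    as a little-endian integer and repacked as network bytes.
    """
    words = [struct.pack("<I", int(hexaddr[i:i + 8], 16))
             for i in range(0, len(hexaddr), 8)]
    raw = b"".join(words)
    family = socket.AF_INET6 if len(raw) == 16 else socket.AF_INET
    return socket.inet_ntop(family, raw)


def parse_proc_net(text: str, proto: str) -> List[Listener]:
    """Return the listening (tcp) or bound (udp) sockets from one table."""
    want = TCP_LISTEN if proto == "tcp" else UDP_BOUND
    found: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a slot number such as "0:"; skip the header.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        local, state = fields[1], int(fields[3], 16)
        if state != want:
            continue
        hexaddr, hexport = local.rsplit(":", 1)
        found.append(Listener(proto, decode_addr(hexaddr), int(hexport, 16)))
    return found


def audit(listeners: Iterable[Listener],
          allowed: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners reachable from the network that the policy does not permit.

    Loopback-only sockets are never reachable from other hosts, so they
    are exempt; everything else must appear in the allow-list.
    """
    return [l for l in listeners
            if not ipaddress.ip_address(l.addr).is_loopback
            and (l.proto, l.port) not in allowed]


# Constructed sample tables (assumption: not captured from a real system).
# tcp: 127.0.0.1:631 (cups), 0.0.0.0:22 (sshd), 0.0.0.0:53 (a resolver
# bound to all interfaces), plus one established connection to ignore.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18245 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17211 1 0000000000000000 100 0 0 10 0
   2: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19990 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:9C40 0A000002:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""
# tcp6: [::]:22 (sshd) and [::1]:631 (cups)
PROC_NET_TCP6 = """\
  sl  local_address                         rem_address                         st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17213 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18247 1 0000000000000000 100 0 0 10 0
"""
# udp: 0.0.0.0:5353 (avahi), 0.0.0.0:68 (dhcp client), 127.0.0.1:53
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   114        0 15011 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 16002 2 0000000000000000 0
   2: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 19991 2 0000000000000000 0
"""

# Assumed allow-list: the only services permitted to listen on the network.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("udp", 5353), ("udp", 68)}


def run_audit(tables: Dict[str, Tuple[str, str]] | None = None) -> List[Listener]:
    """Parse every table and return the policy violations."""
    if tables is None:
        tables = {"tcp": (PROC_NET_TCP, "tcp"), "tcp6": (PROC_NET_TCP6, "tcp"),
                  "udp": (PROC_NET_UDP, "udp")}
    listeners: List[Listener] = []
    for text, proto in tables.values():
        listeners.extend(parse_proc_net(text, proto))
    return audit(listeners, ALLOWED)


if __name__ == "__main__":
    for v in run_audit():
        print(f"not on allow-list: {v.proto} {v.addr}:{v.port}")
```

On a live host, replace the constructed tables with the contents of /proc/net/tcp, /proc/net/tcp6 and /proc/net/udp (or the output of `ss -lntu`); the check is the one a distribution's "which services may listen by default" policy needs regardless of whether a packet filter is installed. The sample trips on the resolver bound to 0.0.0.0:53, which is exactly the kind of exposure a static desktop rule set would have hidden rather than fixed.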